Theory Elliptic_Axclass

section ‹Formalization using Axiomatic Type Classes›

theory Elliptic_Axclass
imports "HOL-Decision_Procs.Reflective_Field"
begin

subsection ‹Affine Coordinates›

datatype 'a point = Infinity | Point 'a 'a

class ell_field = field +
  assumes two_not_zero: "2 ≠ 0"
begin

definition nonsingular :: "'a ⇒ 'a ⇒ bool" where
  "nonsingular a b = (4 * a ^ 3 + 27 * b ^ 2 ≠ 0)"

definition on_curve :: "'a ⇒ 'a ⇒ 'a point ⇒ bool" where
  "on_curve a b p = (case p of
       Infinity ⇒ True
     | Point x y ⇒ y ^ 2 = x ^ 3 + a * x + b)"

definition add :: "'a ⇒ 'a point ⇒ 'a point ⇒ 'a point" where
  "add a p⇩1 p⇩2 = (case p⇩1 of
       Infinity ⇒ p⇩2
     | Point x⇩1 y⇩1 ⇒ (case p⇩2 of
         Infinity ⇒ p⇩1
       | Point x⇩2 y⇩2 ⇒
           if x⇩1 = x⇩2 then
             if y⇩1 = - y⇩2 then Infinity
             else
               let
                 l = (3 * x⇩1 ^ 2 + a) / (2 * y⇩1);
                 x⇩3 = l ^ 2 - 2 * x⇩1
               in
                 Point x⇩3 (- y⇩1 - l * (x⇩3 - x⇩1))
           else
             let
               l = (y⇩2 - y⇩1) / (x⇩2 - x⇩1);
               x⇩3 = l ^ 2 - x⇩1 - x⇩2
             in
               Point x⇩3 (- y⇩1 - l * (x⇩3 - x⇩1))))"

definition opp :: "'a point ⇒ 'a point" where
  "opp p = (case p of
       Infinity ⇒ Infinity
     | Point x y ⇒ Point x (- y))"

end

lemma on_curve_infinity [simp]: "on_curve a b Infinity"
  by (simp add: on_curve_def)

lemma opp_Infinity [simp]: "opp Infinity = Infinity"
  by (simp add: opp_def)

lemma opp_Point: "opp (Point x y) = Point x (- y)"
  by (simp add: opp_def)

lemma opp_opp: "opp (opp p) = p"
  by (simp add: opp_def split: point.split)

lemma opp_closed:
  "on_curve a b p ⟹ on_curve a b (opp p)"
  by (auto simp add: on_curve_def opp_def power2_eq_square
    split: point.split)

lemma curve_elt_opp:
  assumes "p⇩1 = Point x⇩1 y⇩1"
  and "p⇩2 = Point x⇩2 y⇩2"
  and "on_curve a b p⇩1"
  and "on_curve a b p⇩2"
  and "x⇩1 = x⇩2"
  shows "p⇩1 = p⇩2 ∨ p⇩1 = opp p⇩2"
proof -
  from ‹p⇩1 = Point x⇩1 y⇩1› ‹on_curve a b p⇩1›
  have "y⇩1 ^ 2 = x⇩1 ^ 3 + a * x⇩1 + b"
    by (simp_all add: on_curve_def)
  moreover from ‹p⇩2 = Point x⇩2 y⇩2› ‹on_curve a b p⇩2› ‹x⇩1 = x⇩2›
  have "x⇩1 ^ 3 + a * x⇩1 + b = y⇩2 ^ 2"
    by (simp_all add: on_curve_def)
  ultimately have "y⇩1 = y⇩2 ∨ y⇩1 = - y⇩2"
    by (simp add: square_eq_iff power2_eq_square)
  with ‹p⇩1 = Point x⇩1 y⇩1› ‹p⇩2 = Point x⇩2 y⇩2› ‹x⇩1 = x⇩2› show ?thesis
    by (auto simp add: opp_def)
qed

lemma add_closed:
  assumes "on_curve a b p⇩1" and "on_curve a b p⇩2"
  shows "on_curve a b (add a p⇩1 p⇩2)"
proof (cases p⇩1)
  case (Point x⇩1 y⇩1)
  note Point' = this
  show ?thesis
  proof (cases p⇩2)
    case (Point x⇩2 y⇩2)
    show ?thesis
    proof (cases "x⇩1 = x⇩2")
      case True
      note True' = this
      show ?thesis
      proof (cases "y⇩1 = - y⇩2")
        case True
        with True' Point Point'
        show ?thesis
          by (simp add: on_curve_def add_def)
      next
        case False
        note on_curve1 = ‹on_curve a b p⇩1› [simplified Point' on_curve_def True', simplified]
        from False True' Point Point' assms
        have "y⇩1 ≠ 0" by (auto simp add: on_curve_def)
        with False True' Point Point' assms
        show ?thesis
          apply (simp add: on_curve_def add_def Let_def)
          apply (field on_curve1)
          apply (simp add: two_not_zero)
          done
      qed
    next
      case False
      note on_curve1 = ‹on_curve a b p⇩1› [simplified Point' on_curve_def, simplified]
      note on_curve2 = ‹on_curve a b p⇩2› [simplified Point on_curve_def, simplified]
      from assms show ?thesis
        apply (simp add: on_curve_def add_def Let_def False Point Point')
        apply (field on_curve1 on_curve2)
        apply (simp add: False [symmetric])
        done
    qed
  next
    case Infinity
    with Point ‹on_curve a b p⇩1› show ?thesis
      by (simp add: add_def)
  qed
next
  case Infinity
  with ‹on_curve a b p⇩2› show ?thesis
    by (simp add: add_def)
qed

lemma add_case [consumes 2, case_names InfL InfR Opp Tan Gen]:
  assumes p: "on_curve a b p"
  and q: "on_curve a b q"
  and R1: "⋀p. P Infinity p p"
  and R2: "⋀p. P p Infinity p"
  and R3: "⋀p. on_curve a b p ⟹ P p (opp p) Infinity"
  and R4: "⋀p⇩1 x⇩1 y⇩1 p⇩2 x⇩2 y⇩2 l.
    p⇩1 = Point x⇩1 y⇩1 ⟹ p⇩2 = Point x⇩2 y⇩2 ⟹
    p⇩2 = add a p⇩1 p⇩1 ⟹ y⇩1 ≠ 0 ⟹
    l = (3 * x⇩1 ^ 2 + a) / (2 * y⇩1) ⟹
    x⇩2 = l ^ 2 - 2 * x⇩1 ⟹
    y⇩2 = - y⇩1 - l * (x⇩2 - x⇩1) ⟹
    P p⇩1 p⇩1 p⇩2"
  and R5: "⋀p⇩1 x⇩1 y⇩1 p⇩2 x⇩2 y⇩2 p⇩3 x⇩3 y⇩3 l.
    p⇩1 = Point x⇩1 y⇩1 ⟹ p⇩2 = Point x⇩2 y⇩2 ⟹ p⇩3 = Point x⇩3 y⇩3 ⟹
    p⇩3 = add a p⇩1 p⇩2 ⟹ x⇩1 ≠ x⇩2 ⟹
    l = (y⇩2 - y⇩1) / (x⇩2 - x⇩1) ⟹
    x⇩3 = l ^ 2 - x⇩1 - x⇩2 ⟹
    y⇩3 = - y⇩1 - l * (x⇩3 - x⇩1) ⟹
    P p⇩1 p⇩2 p⇩3"
  shows "P p q (add a p q)"
proof (cases p)
  case Infinity
  then show ?thesis
    by (simp add: add_def R1)
next
  case (Point x⇩1 y⇩1)
  note Point' = this
  show ?thesis
  proof (cases q)
    case Infinity
    with Point show ?thesis
      by (simp add: add_def R2)
  next
    case (Point x⇩2 y⇩2)
    show ?thesis
    proof (cases "x⇩1 = x⇩2")
      case True
      note True' = this
      show ?thesis
      proof (cases "y⇩1 = - y⇩2")
        case True
        with p Point Point' True' R3 [of p] show ?thesis
          by (simp add: add_def opp_def)
      next
        case False
        from True' Point Point' p q have "(y⇩1 - y⇩2) * (y⇩1 + y⇩2) = 0"
          by (simp add: on_curve_def ring_distribs power2_eq_square)
        with False have "y⇩1 = y⇩2"
          by (simp add: eq_neg_iff_add_eq_0)
        with False True' Point Point' show ?thesis
          apply simp
          apply (rule R4)
          apply (auto simp add: add_def Let_def)
          done
      qed
    next
      case False
      with Point Point' show ?thesis
        apply -
        apply (rule R5)
        apply (auto simp add: add_def Let_def)
        done
    qed
  qed
qed

lemma eq_opp_is_zero: "((x::'a::ell_field) = - x) = (x = 0)"
proof
  assume "x = - x"
  have "2 * x = x + x" by simp
  also from ‹x = - x›
  have "… = - x + x" by simp
  also have "… = 0" by simp
  finally have "2 * x = 0" .
  with two_not_zero [where 'a='a] show "x = 0"
    by simp
qed simp

lemma add_casew [consumes 2, case_names InfL InfR Opp Gen]:
  assumes p: "on_curve a b p"
  and q: "on_curve a b q"
  and R1: "⋀p. P Infinity p p"
  and R2: "⋀p. P p Infinity p"
  and R3: "⋀p. on_curve a b p ⟹ P p (opp p) Infinity"
  and R4: "⋀p⇩1 x⇩1 y⇩1 p⇩2 x⇩2 y⇩2 p⇩3 x⇩3 y⇩3 l.
    p⇩1 = Point x⇩1 y⇩1 ⟹ p⇩2 = Point x⇩2 y⇩2 ⟹ p⇩3 = Point x⇩3 y⇩3 ⟹
    p⇩3 = add a p⇩1 p⇩2 ⟹ p⇩1 ≠ opp p⇩2 ⟹
    x⇩1 = x⇩2 ∧ y⇩1 = y⇩2 ∧ l = (3 * x⇩1 ^ 2 + a) / (2 * y⇩1) ∨
    x⇩1 ≠ x⇩2 ∧ l = (y⇩2 - y⇩1) / (x⇩2 - x⇩1) ⟹
    x⇩3 = l ^ 2 - x⇩1 - x⇩2 ⟹
    y⇩3 = - y⇩1 - l * (x⇩3 - x⇩1) ⟹
    P p⇩1 p⇩2 p⇩3"
  shows "P p q (add a p q)"
  using p q
  apply (rule add_case)
  apply (rule R1)
  apply (rule R2)
  apply (rule R3)
  apply assumption
  apply (rule R4)
  apply assumption+
  apply (simp add: opp_def eq_opp_is_zero)
  apply simp
  apply simp
  apply simp
  apply (rule R4)
  apply assumption+
  apply (simp add: opp_def)
  apply simp
  apply assumption+
  done

definition
  "is_tangent p q = (p ≠ Infinity ∧ p = q ∧ p ≠ opp q)"

definition
  "is_generic p q =
     (p ≠ Infinity ∧ q ≠ Infinity ∧
      p ≠ q ∧ p ≠ opp q)"

lemma diff_neq0:
  "(a::'a::ring) ≠ b ⟹ a - b ≠ 0"
  "a ≠ b ⟹ b - a ≠ 0"
  by simp_all

lemma minus2_not0: "(-2::'a::ell_field) ≠ 0"
  using two_not_zero [where 'a='a]
  by simp

lemmas [simp] = minus2_not0 [simplified]

declare two_not_zero [simplified, simp add]

lemma spec1_assoc:
  assumes p⇩1: "on_curve a b p⇩1"
  and p⇩2: "on_curve a b p⇩2"
  and p⇩3: "on_curve a b p⇩3"
  and "is_generic p⇩1 p⇩2"
  and "is_generic p⇩2 p⇩3"
  and "is_generic (add a p⇩1 p⇩2) p⇩3"
  and "is_generic p⇩1 (add a p⇩2 p⇩3)"
  shows "add a p⇩1 (add a p⇩2 p⇩3) = add a (add a p⇩1 p⇩2) p⇩3"
  using p⇩1 p⇩2 assms
proof (induct rule: add_case)
  case InfL
  show ?case by (simp add: add_def)
next
  case InfR
  show ?case by (simp add: add_def)
next
  case Opp
  then show ?case by (simp add: is_generic_def)
next
  case Tan
  then show ?case by (simp add: is_generic_def)
next
  case (Gen p⇩1 x⇩1 y⇩1 p⇩2 x⇩2 y⇩2 p⇩4 x⇩4 y⇩4 l)
  with ‹on_curve a b p⇩2› ‹on_curve a b p⇩3›
  show ?case
  proof (induct rule: add_case)
    case InfL
    then show ?case by (simp add: is_generic_def)
  next
    case InfR
    then show ?case by (simp add: is_generic_def)
  next
    case Opp
    then show ?case by (simp add: is_generic_def)
  next
    case Tan
    then show ?case by (simp add: is_generic_def)
  next
    case (Gen p⇩2 x⇩2' y⇩2' p⇩3 x⇩3 y⇩3 p⇩5 x⇩5 y⇩5 l⇩1)
    from ‹on_curve a b p⇩2› ‹on_curve a b p⇩3› ‹p⇩5 = add a p⇩2 p⇩3›
    have "on_curve a b p⇩5" by (simp add: add_closed)
    with ‹on_curve a b p⇩1› show ?case using Gen [simplified ‹p⇩2 = Point x⇩2' y⇩2'›]
    proof (induct rule: add_case)
      case InfL
      then show ?case by (simp add: is_generic_def)
    next
      case InfR
      then show ?case by (simp add: is_generic_def)
    next
      case (Opp p)
      from ‹is_generic p (opp p)›
      show ?case by (simp add: is_generic_def opp_opp)
    next
      case Tan
      then show ?case by (simp add: is_generic_def)
    next
      case (Gen p⇩1 x⇩1' y⇩1' p⇩5' x⇩5' y⇩5' p⇩6 x⇩6 y⇩6 l⇩2)
      from ‹on_curve a b p⇩1› ‹on_curve a b (Point x⇩2' y⇩2')›
        ‹p⇩4 = add a p⇩1 (Point x⇩2' y⇩2')›
      have "on_curve a b p⇩4" by (simp add: add_closed)
      then show ?case using ‹on_curve a b p⇩3› Gen
      proof (induct rule: add_case)
        case InfL
        then show ?case by (simp add: is_generic_def)
      next
        case InfR
        then show ?case by (simp add: is_generic_def)
      next
        case (Opp p)
        from ‹is_generic p (opp p)›
        show ?case by (simp add: is_generic_def opp_opp)
      next
        case Tan
        then show ?case by (simp add: is_generic_def)
      next
        case (Gen p⇩4' x⇩4' y⇩4' p⇩3' x⇩3' y⇩3' p⇩7 x⇩7 y⇩7 l⇩3)
        from ‹p⇩4' = Point x⇩4' y⇩4'› ‹p⇩4' = Point x⇩4 y⇩4›
        have p⇩4: "x⇩4' = x⇩4" "y⇩4' = y⇩4" by simp_all
        from ‹p⇩3' = Point x⇩3' y⇩3'› ‹p⇩3' = Point x⇩3 y⇩3›
        have p⇩3: "x⇩3' = x⇩3" "y⇩3' = y⇩3" by simp_all
        from ‹p⇩1 = Point x⇩1' y⇩1'› ‹p⇩1 = Point x⇩1 y⇩1›
        have p⇩1: "x⇩1' = x⇩1" "y⇩1' = y⇩1" by simp_all
        from ‹p⇩5' = Point x⇩5' y⇩5'› ‹p⇩5' = Point x⇩5 y⇩5›
        have p⇩5: "x⇩5' = x⇩5" "y⇩5' = y⇩5" by simp_all
        from ‹Point x⇩2' y⇩2' = Point x⇩2 y⇩2›
        have p⇩2: "x⇩2' = x⇩2" "y⇩2' = y⇩2" by simp_all
        note ps = p⇩1 p⇩2 p⇩3 p⇩4 p⇩5
        note ps' =
          ‹on_curve a b p⇩1› [simplified ‹p⇩1 = Point x⇩1 y⇩1› on_curve_def, simplified]
          ‹on_curve a b p⇩2› [simplified ‹p⇩2 = Point x⇩2 y⇩2› on_curve_def, simplified]
          ‹on_curve a b p⇩3› [simplified ‹p⇩3 = Point x⇩3 y⇩3› on_curve_def, simplified]
        show ?case
          apply (simp add: ‹p⇩6 = Point x⇩6 y⇩6› ‹p⇩7 = Point x⇩7 y⇩7›)
          apply (simp only: ps
            ‹x⇩6 = l⇩2⇧2 - x⇩1' - x⇩5'› ‹x⇩7 = l⇩3⇧2 - x⇩4' - x⇩3'›
            ‹y⇩6 = - y⇩1' - l⇩2 * (x⇩6 - x⇩1')› ‹y⇩7 = - y⇩4' - l⇩3 * (x⇩7 - x⇩4')›
            ‹l⇩2 = (y⇩5' - y⇩1') / (x⇩5' - x⇩1')› ‹l⇩3 = (y⇩3' - y⇩4') / (x⇩3' - x⇩4')›
            ‹l⇩1 = (y⇩3 - y⇩2') / (x⇩3 - x⇩2')› ‹l = (y⇩2 - y⇩1) / (x⇩2 - x⇩1)›
            ‹x⇩5 = l⇩1⇧2 - x⇩2' - x⇩3› ‹y⇩5 = - y⇩2' - l⇩1 * (x⇩5 - x⇩2')›
            ‹x⇩4 = l⇧2 - x⇩1 - x⇩2› ‹y⇩4 = - y⇩1 - l * (x⇩4 - x⇩1)›)
          apply (rule conjI)
          apply (field ps')
          apply (rule conjI)
          apply (simp add: ‹x⇩2' ≠ x⇩3› [simplified ‹x⇩2' = x⇩2›, symmetric])
          apply (rule conjI)
          apply (rule notI)
          apply (ring (prems) ps'(1-2))
          apply (cut_tac ‹x⇩1' ≠ x⇩5'› [simplified ‹x⇩5' = x⇩5› ‹x⇩1' = x⇩1› ‹x⇩5 = l⇩1⇧2 - x⇩2' - x⇩3›
            ‹l⇩1 = (y⇩3 - y⇩2') / (x⇩3 - x⇩2')› ‹y⇩2' = y⇩2› ‹x⇩2' = x⇩2›])
          apply (erule notE)
          apply (rule sym)
          apply (field ps'(1-2))
          apply (simp add: ‹x⇩2' ≠ x⇩3› [simplified ‹x⇩2' = x⇩2›, symmetric])
          apply (rule conjI)
          apply (simp add: ‹x⇩1 ≠ x⇩2› [symmetric])
          apply (rule notI)
          apply (ring (prems) ps'(1-2))
          apply (cut_tac ‹x⇩4' ≠ x⇩3'› [simplified ‹x⇩4' = x⇩4› ‹x⇩3' = x⇩3› ‹x⇩4 = l⇧2 - x⇩1 - x⇩2›
            ‹l = (y⇩2 - y⇩1) / (x⇩2 - x⇩1)›])
          apply (erule notE)
          apply (rule sym)
          apply (field ps'(1-2))
          apply (simp add: ‹x⇩1 ≠ x⇩2› [symmetric])
          apply (field ps')
          apply (rule conjI)
          apply (rule notI)
          apply (ring (prems) ps'(1-2))
          apply (cut_tac ‹x⇩1' ≠ x⇩5'› [simplified ‹x⇩5' = x⇩5› ‹x⇩1' = x⇩1› ‹x⇩5 = l⇩1⇧2 - x⇩2' - x⇩3›
            ‹l⇩1 = (y⇩3 - y⇩2') / (x⇩3 - x⇩2')› ‹y⇩2' = y⇩2› ‹x⇩2' = x⇩2›])
          apply (erule notE)
          apply (rule sym)
          apply (field ps'(1-2))
          apply (simp add: ‹x⇩2' ≠ x⇩3› [simplified ‹x⇩2' = x⇩2›, symmetric])
          apply (rule conjI)
          apply (simp add: ‹x⇩2' ≠ x⇩3› [simplified ‹x⇩2' = x⇩2›, symmetric])
          apply (rule conjI)
          apply (rule notI)
          apply (ring (prems) ps'(1-2))
          apply (cut_tac ‹x⇩4' ≠ x⇩3'› [simplified ‹x⇩4' = x⇩4› ‹x⇩3' = x⇩3› ‹x⇩4 = l⇧2 - x⇩1 - x⇩2›
            ‹l = (y⇩2 - y⇩1) / (x⇩2 - x⇩1)›])
          apply (erule notE)
          apply (rule sym)
          apply (field ps'(1-2))
          apply (simp_all add: ‹x⇩1 ≠ x⇩2› [symmetric])
          done
      qed
    qed
  qed
qed

lemma spec2_assoc:
  assumes p⇩1: "on_curve a b p⇩1"
  and p⇩2: "on_curve a b p⇩2"
  and p⇩3: "on_curve a b p⇩3"
  and "is_generic p⇩1 p⇩2"
  and "is_tangent p⇩2 p⇩3"
  and "is_generic (add a p⇩1 p⇩2) p⇩3"
  and "is_generic p⇩1 (add a p⇩2 p⇩3)"
  shows "add a p⇩1 (add a p⇩2 p⇩3) = add a (add a p⇩1 p⇩2) p⇩3"
  using p⇩1 p⇩2 assms
proof (induct rule: add_case)
  case InfL
  show ?case by (simp add: add_def)
next
  case InfR
  show ?case by (simp add: add_def)
next
  case Opp
  then show ?case by (simp add: is_generic_def)
next
  case Tan
  then show ?case by (simp add: is_generic_def)
next
  case (Gen p⇩1 x⇩1 y⇩1 p⇩2 x⇩2 y⇩2 p⇩4 x⇩4 y⇩4 l)
  with ‹on_curve a b p⇩2› ‹on_curve a b p⇩3›
  show ?case
  proof (induct rule: add_case)
    case InfL
    then show ?case by (simp add: is_generic_def)
  next
    case InfR
    then show ?case by (simp add: is_generic_def)
  next
    case Opp
    then show ?case by (simp add: is_generic_def)
  next
    case (Tan p⇩2 x⇩2' y⇩2' p⇩5 x⇩5 y⇩5 l⇩1)
    from ‹on_curve a b p⇩2› ‹p⇩5 = add a p⇩2 p⇩2›
    have "on_curve a b p⇩5" by (simp add: add_closed)
    with ‹on_curve a b p⇩1› show ?case using Tan
    proof (induct rule: add_case)
      case InfL
      then show ?case by (simp add: is_generic_def)
    next
      case InfR
      then show ?case by (simp add: is_generic_def)
    next
      case (Opp p)
      from ‹is_generic p (opp p)› ‹on_curve a b p›
      show ?case by (simp add: is_generic_def opp_opp)
    next
      case Tan
      then show ?case by (simp add: is_generic_def)
    next
      case (Gen p⇩1 x⇩1' y⇩1' p⇩5' x⇩5' y⇩5' p⇩6 x⇩6 y⇩6 l⇩2)
      from ‹on_curve a b p⇩1› ‹on_curve a b p⇩2› ‹p⇩4 = add a p⇩1 p⇩2›
      have "on_curve a b p⇩4" by (simp add: add_closed)
      then show ?case using ‹on_curve a b p⇩2› Gen
      proof (induct rule: add_case)
        case InfL
        then show ?case by (simp add: is_generic_def)
      next
        case InfR
        then show ?case by (simp add: is_generic_def)
      next
        case (Opp p)
        from ‹is_generic p (opp p)›
        show ?case by (simp add: is_generic_def opp_opp)
      next
        case Tan
        then show ?case by (simp add: is_generic_def)
      next
        case (Gen p⇩4' x⇩4' y⇩4' p⇩3' x⇩3' y⇩3' p⇩7 x⇩7 y⇩7 l⇩3)
        from
          ‹on_curve a b p⇩1› ‹p⇩1 = Point x⇩1 y⇩1›
          ‹on_curve a b p⇩2› ‹p⇩2 = Point x⇩2 y⇩2›
        have
          y1: "y⇩1 ^ 2 = x⇩1 ^ 3 + a * x⇩1 + b" and
          y2: "y⇩2 ^ 2 = x⇩2 ^ 3 + a * x⇩2 + b"
          by (simp_all add: on_curve_def)
        from
          ‹p⇩5' = Point x⇩5' y⇩5'›
          ‹p⇩5' = Point x⇩5 y⇩5›
          ‹p⇩4' = Point x⇩4' y⇩4'›
          ‹p⇩4' = Point x⇩4 y⇩4›
          ‹p⇩3' = Point x⇩2' y⇩2'›
          ‹p⇩3' = Point x⇩2 y⇩2›
          ‹p⇩3' = Point x⇩3' y⇩3'›
          ‹p⇩1 = Point x⇩1' y⇩1'›
          ‹p⇩1 = Point x⇩1 y⇩1›
        have ps:
          "x⇩5' = x⇩5" "y⇩5' = y⇩5"
          "x⇩4' = x⇩4" "y⇩4' = y⇩4" "x⇩3' = x⇩2" "y⇩3' = y⇩2" "x⇩2' = x⇩2" "y⇩2' = y⇩2"
          "x⇩1' = x⇩1" "y⇩1' = y⇩1"
          by simp_all
        show ?case
          apply (simp add: ‹p⇩6 = Point x⇩6 y⇩6› ‹p⇩7 = Point x⇩7 y⇩7›)
          apply (simp only: ps
            ‹x⇩7 = l⇩3 ^ 2 - x⇩4' - x⇩3'›
            ‹y⇩7 = - y⇩4' - l⇩3 * (x⇩7 - x⇩4')›
            ‹l⇩3 = (y⇩3' - y⇩4') / (x⇩3' - x⇩4')›
            ‹x⇩6 = l⇩2 ^ 2 - x⇩1' - x⇩5'›
            ‹y⇩6 = - y⇩1' - l⇩2 * (x⇩6 - x⇩1')›
            ‹l⇩2 = (y⇩5' - y⇩1') / (x⇩5' - x⇩1')›
            ‹x⇩5 = l⇩1 ^ 2 - 2 * x⇩2'›
            ‹y⇩5 = - y⇩2' - l⇩1 * (x⇩5 - x⇩2')›
            ‹l⇩1 = (3 * x⇩2' ^ 2 + a) / (2 * y⇩2')›
            ‹x⇩4 = l ^ 2 - x⇩1 - x⇩2›
            ‹y⇩4 = - y⇩1 - l * (x⇩4 - x⇩1)›
            ‹l = (y⇩2 - y⇩1) / (x⇩2 - x⇩1)›)
          apply (rule conjI)
          apply (field y1 y2)
          apply (intro conjI)
          apply (simp add: ‹y⇩2' ≠ 0› [simplified ‹y⇩2' = y⇩2›])
          apply (rule notI)
          apply (ring (prems) y1 y2)
          apply (rule notE [OF ‹x⇩1' ≠ x⇩5'› [simplified
            ‹x⇩5 = l⇩1 ^ 2 - 2 * x⇩2'›
            ‹l⇩1 = (3 * x⇩2' ^ 2 + a) / (2 * y⇩2')›
            ‹x⇩1' = x⇩1› ‹x⇩2' = x⇩2› ‹y⇩2' = y⇩2› ‹x⇩5' = x⇩5›]])
          apply (rule sym)
          apply (field y1 y2)
          apply (simp add: ‹y⇩2' ≠ 0› [simplified ‹y⇩2' = y⇩2›])
          apply (simp add: ‹x⇩1 ≠ x⇩2› [symmetric])
          apply (rule notI)
          apply (ring (prems) y1 y2)
          apply (rule notE [OF ‹x⇩4' ≠ x⇩3'› [simplified
            ‹x⇩4 = l ^ 2 - x⇩1 - x⇩2›
            ‹l = (y⇩2 - y⇩1) / (x⇩2 - x⇩1)›
            ‹x⇩4' = x⇩4› ‹x⇩3' = x⇩2›]])
          apply (rule sym)
          apply (field y1 y2)
          apply (simp add: ‹x⇩1 ≠ x⇩2› [symmetric])
          apply (field y1 y2)
          apply (intro conjI)
          apply (rule notI)
          apply (ring (prems) y1 y2)
          apply (rule notE [OF ‹x⇩1' ≠ x⇩5'› [simplified
            ‹x⇩5 = l⇩1 ^ 2 - 2 * x⇩2'›
            ‹l⇩1 = (3 * x⇩2' ^ 2 + a) / (2 * y⇩2')›
            ‹x⇩1' = x⇩1› ‹x⇩2' = x⇩2› ‹y⇩2' = y⇩2› ‹x⇩5' = x⇩5›]])
          apply (rule sym)
          apply (field y1 y2)
          apply (simp add: ‹y⇩2' ≠ 0› [simplified ‹y⇩2' = y⇩2›])
          apply (simp add: ‹y⇩2' ≠ 0› [simplified ‹y⇩2' = y⇩2›])
          apply (rule notI)
          apply (ring (prems) y1 y2)
          apply (rule notE [OF ‹x⇩4' ≠ x⇩3'› [simplified
            ‹x⇩4 = l ^ 2 - x⇩1 - x⇩2›
            ‹l = (y⇩2 - y⇩1) / (x⇩2 - x⇩1)›
            ‹x⇩4' = x⇩4› ‹x⇩3' = x⇩2›]])
          apply (rule sym)
          apply (field y1 y2)
          apply (simp_all add: ‹x⇩1 ≠ x⇩2› [symmetric])
          done
      qed
    qed
  next
    case (Gen p⇩3 x⇩3 y⇩3 p⇩5 x⇩5 y⇩5 p⇩6 x⇩6 y⇩6 l⇩1)
    then show ?case by (simp add: is_tangent_def)
  qed
qed

lemma spec3_assoc:
  assumes p⇩1: "on_curve a b p⇩1"
  and p⇩2: "on_curve a b p⇩2"
  and p⇩3: "on_curve a b p⇩3"
  and "is_generic p⇩1 p⇩2"
  and "is_tangent p⇩2 p⇩3"
  and "is_generic (add a p⇩1 p⇩2) p⇩3"
  and "is_tangent p⇩1 (add a p⇩2 p⇩3)"
  shows "add a p⇩1 (add a p⇩2 p⇩3) = add a (add a p⇩1 p⇩2) p⇩3"
  using p⇩1 p⇩2 assms
proof (induct rule: add_case)
  case InfL
  then show ?case by (simp add: is_generic_def)
next
  case InfR
  then show ?case by (simp add: is_generic_def)
next
  case Opp
  then show ?case by (simp add: is_generic_def)
next
  case Tan
  then show ?case by (simp add: is_generic_def)
next
  case (Gen p⇩1 x⇩1 y⇩1 p⇩2 x⇩2 y⇩2 p⇩4 x⇩4 y⇩4 l)
  with ‹on_curve a b p⇩2› ‹on_curve a b p⇩3›
  show ?case
  proof (induct rule: add_case)
    case InfL
    then show ?case by (simp add: is_generic_def)
  next
    case InfR
    then show ?case by (simp add: is_generic_def)
  next
    case Opp
    then show ?case by (simp add: is_tangent_def opp_opp)
  next
    case (Tan p⇩2 x⇩2' y⇩2' p⇩5 x⇩5 y⇩5 l⇩1)
    from ‹on_curve a b p⇩2› ‹p⇩5 = add a p⇩2 p⇩2›
    have "on_curve a b p⇩5" by (simp add: add_closed)
    with ‹on_curve a b p⇩1› show ?case using Tan
    proof (induct rule: add_case)
      case InfL
      then show ?case by (simp add: is_generic_def)
    next
      case InfR
      then show ?case by (simp add: is_generic_def)
    next
      case Opp
      then show ?case by (simp add: is_tangent_def opp_opp)
    next
      case (Tan p⇩1 x⇩1' y⇩1' p⇩6 x⇩6 y⇩6 l⇩2)
      from ‹on_curve a b p⇩1› ‹on_curve a b p⇩2› ‹p⇩4 = add a p⇩1 p⇩2›
      have "on_curve a b p⇩4" by (simp add: add_closed)
      then show ?case using ‹on_curve a b p⇩2› Tan
      proof (induct rule: add_case)
        case InfL
        then show ?case by (simp add: is_generic_def)
      next
        case InfR
        then show ?case by (simp add: is_generic_def)
      next
        case (Opp p)
        from ‹is_generic p (opp p)›
        show ?case by (simp add: is_generic_def opp_opp)
      next
        case Tan
        then show ?case by (simp add: is_generic_def)
      next
        case (Gen p⇩4' x⇩4' y⇩4' p⇩2' x⇩2'' y⇩2'' p⇩7 x⇩7 y⇩7 l⇩3)
        from
          ‹on_curve a b p⇩1› ‹p⇩1 = Point x⇩1 y⇩1›
          ‹on_curve a b p⇩2› ‹p⇩2 = Point x⇩2 y⇩2›
        have
          y1: "y⇩1 ^ 2 = x⇩1 ^ 3 + a * x⇩1 + b" and
          y2: "y⇩2 ^ 2 = x⇩2 ^ 3 + a * x⇩2 + b"
          by (simp_all add: on_curve_def)
        from
          ‹p⇩4' = Point x⇩4' y⇩4'›
          ‹p⇩4' = Point x⇩4 y⇩4›
          ‹p⇩2' = Point x⇩2' y⇩2'›
          ‹p⇩2' = Point x⇩2 y⇩2›
          ‹p⇩2' = Point x⇩2'' y⇩2''›
          ‹p⇩1 = Point x⇩1' y⇩1'›
          ‹p⇩1 = Point x⇩1 y⇩1›
          ‹p⇩1 = Point x⇩5 y⇩5›
        have ps:
          "x⇩4' = x⇩4" "y⇩4' = y⇩4" "x⇩2' = x⇩2" "y⇩2' = y⇩2" "x⇩2'' = x⇩2" "y⇩2'' = y⇩2"
          "x⇩1' = x⇩5" "y⇩1' = y⇩5" "x⇩1 = x⇩5" "y⇩1 = y⇩5"
          by simp_all
        note qs =
          ‹x⇩7 = l⇩3 ^ 2 - x⇩4' - x⇩2''›
          ‹y⇩7 = - y⇩4' - l⇩3 * (x⇩7 - x⇩4')›
          ‹l⇩3 = (y⇩2'' - y⇩4') / (x⇩2'' - x⇩4')›
          ‹x⇩6 = l⇩2 ^ 2 - 2 * x⇩1'›
          ‹y⇩6 = - y⇩1' - l⇩2 * (x⇩6 - x⇩1')›
          ‹x⇩5 = l⇩1 ^ 2 - 2 * x⇩2'›
          ‹y⇩5 = - y⇩2' - l⇩1 * (x⇩5 - x⇩2')›
          ‹l⇩1 = (3 * x⇩2' ^ 2 + a) / (2 * y⇩2')›
          ‹l⇩2 = (3 * x⇩1' ^ 2 + a) / (2 * y⇩1')›
          ‹x⇩4 = l ^ 2 - x⇩1 - x⇩2›
          ‹y⇩4 = - y⇩1 - l * (x⇩4 - x⇩1)›
          ‹l = (y⇩2 - y⇩1) / (x⇩2 - x⇩1)›
        from ‹y⇩2' ≠ 0› ‹y⇩2' = y⇩2›
        have "2 * y⇩2 ≠ 0" by simp
        show ?case
          apply (simp add: ‹p⇩6 = Point x⇩6 y⇩6› ‹p⇩7 = Point x⇩7 y⇩7›)
          apply (simp only: ps qs)
          apply (rule conjI)
          apply (field y2)
          apply (intro conjI)
          apply (rule notI)
          apply (ring (prems))
          apply (rule notE [OF ‹y⇩1' ≠ 0›])
          apply (simp only: ps qs)
          apply field
          apply (rule ‹2 * y⇩2 ≠ 0›)
          apply (rule notI)
          apply (ring (prems))
          apply (rule notE [OF ‹x⇩1 ≠ x⇩2›])
          apply (rule sym)
          apply (simp only: ps qs)
          apply field
          apply (rule ‹2 * y⇩2 ≠ 0›)
          apply (rule ‹2 * y⇩2 ≠ 0›)
          apply (rule notI)
          apply (ring (prems))
          apply (rule notE [OF ‹x⇩4' ≠ x⇩2''›])
          apply (rule sym)
          apply (simp only: ps qs)
          apply field
          apply (intro conjI)
          apply (rule ‹2 * y⇩2 ≠ 0›)
          apply (erule thin_rl)
          apply (rule notI)
          apply (ring (prems))
          apply (rule notE [OF ‹x⇩1 ≠ x⇩2›])
          apply (rule sym)
          apply (simp only: ps qs)
          apply field
          apply (rule ‹2 * y⇩2 ≠ 0›)
          apply (field y2)
          apply (intro conjI)
          apply (rule notI)
          apply (ring (prems))
          apply (rule notE [OF ‹y⇩1' ≠ 0›])
          apply (simp only: ps qs)
          apply field
          apply (rule ‹2 * y⇩2 ≠ 0›)
          apply (rule notI)
          apply (ring (prems))
          apply (rule notE [OF ‹x⇩4' ≠ x⇩2''›])
          apply (rule sym)
          apply (simp only: ps qs)
          apply field
          apply (erule thin_rl)
          apply (rule conjI)
          apply (rule ‹2 * y⇩2 ≠ 0›)
          apply (rule notI)
          apply (ring (prems))
          apply (rule notE [OF ‹x⇩1 ≠ x⇩2›])
          apply (rule sym)
          apply (simp only: ps qs)
          apply field
          apply (rule ‹2 * y⇩2 ≠ 0›)
          apply (rule ‹2 * y⇩2 ≠ 0›)
          apply (rule notI)
          apply (ring (prems))
          apply (rule notE [OF ‹x⇩1 ≠ x⇩2›])
          apply (rule sym)
          apply (simp only: ps qs)
          apply field
          apply (rule ‹2 * y⇩2 ≠ 0›)
          done
      qed
    next
      case Gen
      then show ?case by (simp add: is_tangent_def)
    qed
  next
    case Gen
    then show ?case by (simp add: is_tangent_def)
  qed
qed

lemma add_0_l: "add a Infinity p = p"
  by (simp add: add_def)

lemma add_0_r: "add a p Infinity = p"
  by (simp add: add_def split: point.split)

lemma add_opp: "on_curve a b p ⟹ add a p (opp p) = Infinity"
  by (simp add: add_def opp_def on_curve_def split: point.split_asm)

lemma add_comm:
  assumes "on_curve a b p⇩1" "on_curve a b p⇩2"
  shows "add a p⇩1 p⇩2 = add a p⇩2 p⇩1"
proof (cases p⇩1)
  case Infinity
  then show ?thesis by (simp add: add_0_l add_0_r)
next
  case (Point x⇩1 y⇩1)
  note Point' = this
  with ‹on_curve a b p⇩1›
  have y1: "y⇩1 ^ 2 = x⇩1 ^ 3 + a * x⇩1 + b"
    by (simp add: on_curve_def)
  show ?thesis
  proof (cases p⇩2)
    case Infinity
    then show ?thesis by (simp add: add_0_l add_0_r)
  next
    case (Point x⇩2 y⇩2)
    with ‹on_curve a b p⇩2›
    have y2: "y⇩2 ^ 2 = x⇩2 ^ 3 + a * x⇩2 + b"
      by (simp add: on_curve_def)
    show ?thesis
    proof (cases "x⇩1 = x⇩2")
      case True
      show ?thesis
      proof (cases "y⇩1 = - y⇩2")
        case True
        with Point Point' ‹x⇩1 = x⇩2› show ?thesis
          by (simp add: add_def)
      next
        case False
        with y1 y2 [symmetric] ‹x⇩1 = x⇩2› Point Point'
        show ?thesis
          by (simp add: power2_eq_square square_eq_iff)
      qed
    next
      case False
      with Point Point' show ?thesis
        apply (simp add: add_def Let_def)
        apply (rule conjI)
        apply field
        apply simp
        apply field
        apply simp
        done
    qed
  qed
qed

lemma uniq_opp:
  assumes "add a p⇩1 p⇩2 = Infinity"
  shows "p⇩2 = opp p⇩1"
  using assms
  by (auto simp add: add_def opp_def Let_def
    split: point.split_asm if_split_asm)

lemma uniq_zero:
  assumes ab: "nonsingular a b"
  and p⇩1: "on_curve a b p⇩1"
  and p⇩2: "on_curve a b p⇩2"
  and add: "add a p⇩1 p⇩2 = p⇩2"
  shows "p⇩1 = Infinity"
  using p⇩1 p⇩2 assms
proof (induct rule: add_case)
  case InfL
  show ?case ..
next
  case InfR
  then show ?case by simp
next
  case Opp
  then show ?case by (simp add: opp_def split: point.split_asm)
next
  case (Tan p⇩1 x⇩1 y⇩1 p⇩2 x⇩2 y⇩2 l)
  from ‹p⇩1 = Point x⇩1 y⇩1› ‹p⇩2 = Point x⇩2 y⇩2› ‹p⇩2 = p⇩1›
  have "x⇩2 = x⇩1" "y⇩2 = y⇩1" by simp_all
  with ‹y⇩2 = - y⇩1 - l * (x⇩2 - x⇩1)› ‹y⇩1 ≠ 0›
  have "- y⇩1 = y⇩1" by simp
  with ‹y⇩1 ≠ 0›
  show ?case by simp
next
  case (Gen p⇩1 x⇩1 y⇩1 p⇩2 x⇩2 y⇩2 p⇩3 x⇩3 y⇩3 l)
  then have y1: "y⇩1 ^ 2 = x⇩1 ^ 3 + a * x⇩1 + b"
    and y2: "y⇩2 ^ 2 = x⇩2 ^ 3 + a * x⇩2 + b"
    by (simp_all add: on_curve_def)
  from ‹p⇩3 = p⇩2› ‹p⇩2 = Point x⇩2 y⇩2› ‹p⇩3 = Point x⇩3 y⇩3›
  have ps: "x⇩3 = x⇩2" "y⇩3 = y⇩2" by simp_all
  with ‹y⇩3 = - y⇩1 - l * (x⇩3 - x⇩1)›
  have "y⇩2 = - y⇩1 - l * (x⇩2 - x⇩1)" by simp
  also from ‹l = (y⇩2 - y⇩1) / (x⇩2 - x⇩1)› ‹x⇩1 ≠ x⇩2›
  have "l * (x⇩2 - x⇩1) = y⇩2 - y⇩1"
    by simp
  also have "- y⇩1 - (y⇩2 - y⇩1) = (- y⇩1 + y⇩1) + - y⇩2"
    by simp
  finally have "y⇩2 = 0" by simp
  with ‹p⇩2 = Point x⇩2 y⇩2› ‹on_curve a b p⇩2›
  have x2: "x⇩2 ^ 3 = - (a * x⇩2 + b)"
    by (simp add: on_curve_def eq_neg_iff_add_eq_0 add.assoc del: minus_add_distrib)
  from ‹x⇩3 = l ^ 2 - x⇩1 - x⇩2› ‹x⇩3 = x⇩2›
  have "l ^ 2 - x⇩1 - x⇩2 - x⇩2 = x⇩2 - x⇩2" by simp
  then have "l ^ 2 - x⇩1 - 2 * x⇩2 = 0" by simp
  then have "x⇩2 * (l ^ 2 - x⇩1 - 2 * x⇩2) = x⇩2 * 0" by simp
  then have "(x⇩2 - x⇩1) * (2 * a * x⇩2 + 3 * b) = 0"
    apply (simp only: ‹l = (y⇩2 - y⇩1) / (x⇩2 - x⇩1)› ‹y⇩2 = 0›)
    apply (field (prems) y1 x2)
    apply (ring y1 x2)
    apply (simp add: ‹x⇩1 ≠ x⇩2› [symmetric])
    done
  with ‹x⇩1 ≠ x⇩2› have "2 * a * x⇩2 + 3 * b = 0" by simp
  then have "2 * a * x⇩2 = - (3 * b)"
    by (simp add: eq_neg_iff_add_eq_0)
  from y2 [symmetric] ‹y⇩2 = 0›
  have "(- (2 * a)) ^ 3 * (x⇩2 ^ 3 + a * x⇩2 + b) = 0"
    by simp
  then have "b * (4 * a ^ 3 + 27 * b ^ 2) = 0"
    apply (ring (prems) ‹2 * a * x⇩2 = - (3 * b)›)
    apply (ring ‹2 * a * x⇩2 = - (3 * b)›)
    done
  with ab have "b = 0" by (simp add: nonsingular_def)
  with ‹2 * a * x⇩2 + 3 * b = 0› ab
  have "x⇩2 = 0" by (simp add: nonsingular_def)
  from ‹l ^ 2 - x⇩1 - 2 * x⇩2 = 0›
  show ?case
    apply (simp add: ‹x⇩2 = 0› ‹y⇩2 = 0› ‹l = (y⇩2 - y⇩1) / (x⇩2 - x⇩1)›)
    apply (field (prems) y1 ‹b = 0›)
    apply (insert ab ‹b = 0› ‹x⇩1 ≠ x⇩2› ‹x⇩2 = 0›)
    apply (simp add: nonsingular_def)
    apply simp
    done
qed

lemma opp_add:
  assumes p⇩1: "on_curve a b p⇩1"
  and p⇩2: "on_curve a b p⇩2"
  shows "opp (add a p⇩1 p⇩2) = add a (opp p⇩1) (opp p⇩2)"
proof (cases p⇩1)
  case Infinity
  then show ?thesis by (simp add: add_def opp_def)
next
  case (Point x⇩1 y⇩1)
  show ?thesis
  proof (cases p⇩2)
    case Infinity
    with ‹p⇩1 = Point x⇩1 y⇩1› show ?thesis
      by (simp add: add_def opp_def)
  next
    case (Point x⇩2 y⇩2)
    with ‹p⇩1 = Point x⇩1 y⇩1› p⇩1 p⇩2
    have "x⇩1 ^ 3 + a * x⇩1 + b = y⇩1 ^ 2"
      "x⇩2 ^ 3 + a * x⇩2 + b = y⇩2 ^ 2"
      by (simp_all add: on_curve_def)
    with Point ‹p⇩1 = Point x⇩1 y⇩1› show ?thesis
      apply (cases "x⇩1 = x⇩2")
      apply (cases "y⇩1 = - y⇩2")
      apply (simp add: add_def opp_def Let_def)
      apply (simp add: add_def opp_def Let_def trans [OF minus_equation_iff eq_commute])
      apply (simp add: add_def opp_def Let_def)
      apply (rule conjI)
      apply field
      apply simp
      apply field
      apply simp
      done
  qed
qed

lemma compat_add_opp:
  assumes p⇩1: "on_curve a b p⇩1"
  and p⇩2: "on_curve a b p⇩2"
  and "add a p⇩1 p⇩2 = add a p⇩1 (opp p⇩2)"
  and "p⇩1 ≠ opp p⇩1"
  shows "p⇩2 = opp p⇩2"
  using p⇩1 p⇩2 assms
proof (induct rule: add_case)
  case InfL
  then show ?case by (simp add: add_0_l)
next
  case InfR
  then show ?case by (simp add: opp_def add_0_r)
next
  case (Opp p)
  then have "add a p p = Infinity" by (simp add: opp_opp)
  then have "p = opp p" by (rule uniq_opp)
  with ‹p ≠ opp p› show ?case ..
next
  case (Tan p⇩1 x⇩1 y⇩1 p⇩2 x⇩2 y⇩2 l)
  then have "add a p⇩1 p⇩1 = Infinity"
    by (simp add: add_opp)
  then have "p⇩1 = opp p⇩1" by (rule uniq_opp)
  with ‹p⇩1 ≠ opp p⇩1› show ?case ..
next
  case (Gen p⇩1 x⇩1 y⇩1 p⇩2 x⇩2 y⇩2 p⇩3 x⇩3 y⇩3 l)
  have "(2::'a) * 2 ≠ 0"
    by (simp only: mult_eq_0_iff) simp
  then have "(4::'a) ≠ 0" by simp
  from Gen have "((- y⇩2 - y⇩1) / (x⇩2 - x⇩1)) ^ 2 - x⇩1 - x⇩2 =
    ((y⇩2 - y⇩1) / (x⇩2 - x⇩1)) ^ 2 - x⇩1 - x⇩2"
    by (simp add: add_def opp_def Let_def)
  then show ?case
    apply (field (prems))
    apply (insert ‹p⇩1 ≠ opp p⇩1›
      ‹p⇩1 = Point x⇩1 y⇩1› ‹p⇩2 = Point x⇩2 y⇩2› ‹4 ≠ 0›)[1]
    apply (simp add: opp_def eq_neg_iff_add_eq_0)
    apply (simp add: ‹x⇩1 ≠ x⇩2› [symmetric])
    done
qed

lemma compat_add_triple:
  assumes ab: "nonsingular a b"
  and p: "on_curve a b p"
  and "p ≠ opp p"
  and "add a p p ≠ opp p"
  shows "add a (add a p p) (opp p) = p"
  using add_closed [OF p p] opp_closed [OF p] assms
proof (induct "add a p p" "opp p" rule: add_case)
  case InfL
  from ‹p ≠ opp p› uniq_opp [OF ‹Infinity = add a p p› [symmetric]]
  show ?case ..
next
  case InfR
  then show ?case by (simp add: opp_def split: point.split_asm)
next
  case Opp
  then have "opp (opp (add a p p)) = opp (opp p)" by simp
  then have "add a p p = p" by (simp add: opp_opp)
  with uniq_zero [OF ab p p] ‹p ≠ opp p›
  show ?case by (simp add: opp_def)
next
  case Tan
  then show ?case by simp
next
  case (Gen x⇩1 y⇩1 x⇩2 y⇩2 p⇩3 x⇩3 y⇩3 l)
  from ‹opp p = Point x⇩2 y⇩2›
  have "p = Point x⇩2 (- y⇩2)"
    by (auto simp add: opp_def split: point.split_asm)
  with ‹add a p p = Point x⇩1 y⇩1› [symmetric]
  obtain l' where l':
    "l' = (3 * x⇩2 ^ 2 + a) / (2 * - y⇩2)"
    and xy: "x⇩1 = l' ^ 2 - 2 * x⇩2"
    "y⇩1 = - (- y⇩2) - l' * (x⇩1 - x⇩2)"
    and y2: "- y⇩2 ≠ - (- y⇩2)"
    by (simp add: add_def Let_def split: if_split_asm)
  have "x⇩3 = x⇩2"
    apply (simp add: xy
      ‹l = (y⇩2 - y⇩1) / (x⇩2 - x⇩1)› ‹x⇩3 = l ^ 2 - x⇩1 - x⇩2›)
    apply field
    apply (insert ‹x⇩1 ≠ x⇩2›)
    apply (simp add: xy)
    done
  then have "p⇩3 = p ∨ p⇩3 = opp p"
    by (rule curve_elt_opp [OF ‹p⇩3 = Point x⇩3 y⇩3› ‹p = Point x⇩2 (- y⇩2)›
      add_closed [OF add_closed [OF p p] opp_closed [OF p],
        folded ‹p⇩3 = add a (add a p p) (opp p)›]
     ‹on_curve a b p›])
  then show ?case
  proof
    assume "p⇩3 = p"
    with ‹p⇩3 = add a (add a p p) (opp p)›
    show ?thesis by simp
  next
    assume "p⇩3 = opp p"
    with ‹p⇩3 = add a (add a p p) (opp p)›
    have "add a (add a p p) (opp p) = opp p" by simp
    with ab add_closed [OF p p] opp_closed [OF p]
    have "add a p p = Infinity" by (rule uniq_zero)
    with ‹add a p p = Point x⇩1 y⇩1› show ?thesis by simp
  qed
qed

lemma add_opp_double_opp:
  assumes ab: "nonsingular a b"
  and p⇩1: "on_curve a b p⇩1"
  and p⇩2: "on_curve a b p⇩2"
  and "add a p⇩1 p⇩2 = opp p⇩1"
  shows "p⇩2 = add a (opp p⇩1) (opp p⇩1)"
proof (cases "p⇩1 = opp p⇩1")
  case True
  with assms have "add a p⇩2 p⇩1 = p⇩1" by (simp add: add_comm)
  with ab p⇩2 p⇩1 have "p⇩2 = Infinity" by (rule uniq_zero)
  also from ‹on_curve a b p⇩1› have "… = add a p⇩1 (opp p⇩1)"
    by (simp add: add_opp)
  also from True have "… = add a (opp p⇩1) (opp p⇩1)" by simp
  finally show ?thesis .
next
  case False
  from p⇩1 p⇩2 False assms show ?thesis
  proof (induct rule: add_case)
    case InfL
    then show ?case by simp
  next
    case InfR
    then show ?case by simp
  next
    case Opp
    then show ?case by (simp add: add_0_l)
  next
    case (Tan p⇩1 x⇩1 y⇩1 p⇩2 x⇩2 y⇩2 l)
    from ‹p⇩2 = opp p⇩1› ‹on_curve a b p⇩1›
    have "p⇩1 = opp p⇩2" by (simp add: opp_opp)
    also note ‹p⇩2 = add a p⇩1 p⇩1›
    finally show ?case using ‹on_curve a b p⇩1›
      by (simp add: opp_add)
  next
    case (Gen p⇩1 x⇩1 y⇩1 p⇩2 x⇩2 y⇩2 p⇩3 x⇩3 y⇩3 l)
    from ‹on_curve a b p⇩1› ‹p⇩1 = Point x⇩1 y⇩1›
    have y⇩1: "y⇩1 ^ 2 = x⇩1 ^ 3 + a * x⇩1 + b"
      by (simp add: on_curve_def)
    from ‹on_curve a b p⇩2› ‹p⇩2 = Point x⇩2 y⇩2›
    have y⇩2: "y⇩2 ^ 2 = x⇩2 ^ 3 + a * x⇩2 + b"
      by (simp add: on_curve_def)
    from ‹p⇩1 = Point x⇩1 y⇩1› ‹p⇩1 ≠ opp p⇩1›
    have "y⇩1 ≠ 0"
      by (simp add: opp_Point)
    from Gen have "x⇩1 = ((y⇩2 - y⇩1) / (x⇩2 - x⇩1)) ^ 2 - x⇩1 - x⇩2"
      by (simp add: opp_Point)
    then have "2 * y⇩2 * y⇩1 = a * x⇩2 + 3 * x⇩2 * x⇩1 ^ 2 + a * x⇩1 -
      x⇩1 ^ 3 + 2 * b"
      apply (field (prems) y⇩1 y⇩2)
      apply (field y⇩1 y⇩2)
      apply simp
      apply (simp add: ‹x⇩1 ≠ x⇩2› [symmetric])
      done
    then have "(x⇩2 - (((3 * x⇩1 ^ 2 + a) / (2 * (- y⇩1))) ^ 2 -
      2 * x⇩1)) * (x⇩2 - x⇩1) ^ 2 = 0"
      apply (drule_tac f="λx. x ^ 2" in arg_cong)
      apply (field (prems) y⇩1 y⇩2)
      apply (field y⇩1 y⇩2)
      apply (simp_all add: ‹y⇩1 ≠ 0›)
      done
    with ‹x⇩1 ≠ x⇩2›
    have "x⇩2 = ((3 * x⇩1 ^ 2 + a) / (2 * (- y⇩1))) ^ 2 - 2 * x⇩1"
      by simp
    with ‹p⇩2 = Point x⇩2 y⇩2› _ ‹on_curve a b p⇩2›
      add_closed [OF
        opp_closed [OF ‹on_curve a b p⇩1›] opp_closed [OF ‹on_curve a b p⇩1›]]
    have "p⇩2 = add a (opp p⇩1) (opp p⇩1) ∨ p⇩2 = opp (add a (opp p⇩1) (opp p⇩1))"
      apply (rule curve_elt_opp)
      apply (simp add: add_def opp_Point Let_def ‹p⇩1 = Point x⇩1 y⇩1› ‹y⇩1 ≠ 0›)
      done
    then show ?case
    proof
      assume "p⇩2 = opp (add a (opp p⇩1) (opp p⇩1))"
      with ‹on_curve a b p⇩1›
      have "p⇩2 = add a p⇩1 p⇩1"
        by (simp add: opp_add [of a b] opp_opp opp_closed)
      show ?case
      proof (cases "add a p⇩1 p⇩1 = opp p⇩1")
        case True
        from ‹on_curve a b p⇩1›
        show ?thesis
          apply (simp add: opp_add [symmetric] ‹p⇩2 = add a p⇩1 p⇩1› True)
          apply (simp add: ‹p⇩3 = add a p⇩1 p⇩2› [simplified ‹p⇩3 = opp p⇩1›])
          apply (simp add: ‹p⇩2 = add a p⇩1 p⇩1› True add_opp)
          done
      next
        case False
        from ‹on_curve a b p⇩1›
        have "add a p⇩1 (opp p⇩2) = opp (add a (add a p⇩1 p⇩1) (opp p⇩1))"
          by (simp add: ‹p⇩2 = add a p⇩1 p⇩1›
            opp_add [of a b] add_closed opp_closed opp_opp add_comm [of a b])
        with ab ‹on_curve a b p⇩1› ‹p⇩1 ≠ opp p⇩1› False
        have "add a p⇩1 (opp p⇩2) = opp p⇩1"
          by (simp add: compat_add_triple)
        with ‹p⇩3 = add a p⇩1 p⇩2› ‹p⇩3 = opp p⇩1›
        have "add a p⇩1 p⇩2 = add a p⇩1 (opp p⇩2)" by simp
        with ‹on_curve a b p⇩1› ‹on_curve a b p⇩2›
        have "p⇩2 = opp p⇩2" using ‹p⇩1 ≠ opp p⇩1›
          by (rule compat_add_opp)
        with ‹on_curve a b p⇩1› ‹p⇩2 = add a p⇩1 p⇩1›
        show ?thesis by (simp add: opp_add)
      qed
    qed
  qed
qed

lemma cancel:
  assumes ab: "nonsingular a b"
  and p⇩1: "on_curve a b p⇩1"
  and p⇩2: "on_curve a b p⇩2"
  and p⇩3: "on_curve a b p⇩3"
  and eq: "add a p⇩1 p⇩2 = add a p⇩1 p⇩3"
  shows "p⇩2 = p⇩3"
  using p⇩1 p⇩2 p⇩1 p⇩2 eq
proof (induct rule: add_casew)
  case InfL
  then show ?case by (simp add: add_0_l)
next
  case (InfR p)
  with p⇩3 have "add a p⇩3 p = p" by (simp add: add_comm)
  with ab p⇩3 ‹on_curve a b p›
  show ?case by (rule uniq_zero [symmetric])
next
  case (Opp p)
  from ‹Infinity = add a p p⇩3› [symmetric]
  show ?case by (rule uniq_opp [symmetric])
next
  case (Gen p⇩1 x⇩1 y⇩1 p⇩2 x⇩2 y⇩2 p⇩4 x⇩4 y⇩4 l)
  from ‹on_curve a b p⇩1› p⇩3 ‹on_curve a b p⇩1› p⇩3 ‹p⇩1 = Point x⇩1 y⇩1›
    ‹p⇩4 = add a p⇩1 p⇩2› ‹p⇩4 = add a p⇩1 p⇩3› ‹p⇩1 ≠ opp p⇩2›
  show ?case
  proof (induct rule: add_casew)
    case InfL
    then show ?case by (simp add: add_0_l)
  next
    case (InfR p)
    with ‹on_curve a b p⇩2›
    have "add a p⇩2 p = p" by (simp add: add_comm)
    with ab ‹on_curve a b p⇩2› ‹on_curve a b p›
    show ?case by (rule uniq_zero)
  next
    case (Opp p)
    then have "add a p p⇩2 = Infinity" by simp
    then show ?case by (rule uniq_opp)
  next
    case (Gen p⇩1 x⇩1' y⇩1' p⇩3 x⇩3 y⇩3 p⇩5 x⇩5 y⇩5 l')
    from ‹p⇩4 = p⇩5› ‹p⇩4 = Point x⇩4 y⇩4› ‹p⇩5 = Point x⇩5 y⇩5›
      ‹p⇩1 = Point x⇩1' y⇩1'› ‹p⇩1 = Point x⇩1 y⇩1›
      ‹y⇩4 = - y⇩1 - l * (x⇩4 - x⇩1)› ‹y⇩5 = - y⇩1' - l' * (x⇩5 - x⇩1')›
    have "0 = - y⇩1 - l * (x⇩4 - x⇩1) - (- y⇩1 - l' * (x⇩4 - x⇩1))"
      by auto
    then have "l' = l ∨ x⇩4 = x⇩1" by auto
    then show ?case
    proof
      assume "l' = l"
      with ‹p⇩4 = p⇩5› ‹p⇩4 = Point x⇩4 y⇩4› ‹p⇩5 = Point x⇩5 y⇩5›
        ‹p⇩1 = Point x⇩1' y⇩1'› ‹p⇩1 = Point x⇩1 y⇩1›
        ‹x⇩4 = l ^ 2 - x⇩1 - x⇩2› ‹x⇩5 = l' ^ 2 - x⇩1' - x⇩3›
      have "0 = l ^ 2 - x⇩1 - x⇩2 - (l ^ 2 - x⇩1 - x⇩3)"
        by simp
      then have "x⇩2 = x⇩3" by simp
      with ‹p⇩2 = Point x⇩2 y⇩2› ‹p⇩3 = Point x⇩3 y⇩3› ‹on_curve a b p⇩2› ‹on_curve a b p⇩3›
      have "p⇩2 = p⇩3 ∨ p⇩2 = opp p⇩3" by (rule curve_elt_opp)
      then show ?case
      proof
        assume "p⇩2 = opp p⇩3"
        with ‹on_curve a b p⇩3› have "opp p⇩2 = p⇩3"
          by (simp add: opp_opp)
        with ‹p⇩4 = p⇩5› ‹p⇩4 = add a p⇩1 p⇩2› ‹p⇩5 = add a p⇩1 p⇩3›
        have "add a p⇩1 p⇩2 = add a p⇩1 (opp p⇩2)" by simp
        show ?case
        proof (cases "p⇩1 = opp p⇩1")
          case True
          with ‹p⇩1 ≠ opp p⇩2› ‹p⇩1 ≠ opp p⇩3›
          have "p⇩1 ≠ p⇩2" "p⇩1 ≠ p⇩3" by auto
          with ‹l' = l› ‹x⇩1 = x⇩2 ∧ _∨ _› ‹x⇩1' = x⇩3 ∧ _ ∨ _›
            ‹p⇩1 = Point x⇩1 y⇩1› ‹p⇩1 = Point x⇩1' y⇩1'›
            ‹p⇩2 = Point x⇩2 y⇩2› ‹p⇩3 = Point x⇩3 y⇩3›
            ‹p⇩2 = opp p⇩3›
          have eq: "(y⇩2 - y⇩1) / (x⇩2 - x⇩1) = (y⇩3 - y⇩1) / (x⇩2 - x⇩1)" and "x⇩1 ≠ x⇩2"
            by (auto simp add: opp_Point)
          from eq have "y⇩2 = y⇩3"
            apply (field (prems))
            apply (simp_all add: ‹x⇩1 ≠ x⇩2› [symmetric])
            done
          with ‹p⇩2 = opp p⇩3› ‹p⇩2 = Point x⇩2 y⇩2› ‹p⇩3 = Point x⇩3 y⇩3›
          show ?thesis by (simp add: opp_Point)
        next
          case False
          with ‹on_curve a b p⇩1› ‹on_curve a b p⇩2›
            ‹add a p⇩1 p⇩2 = add a p⇩1 (opp p⇩2)›
          have "p⇩2 = opp p⇩2" by (rule compat_add_opp)
          with ‹opp p⇩2 = p⇩3› show ?thesis by simp
        qed
      qed
    next
      assume "x⇩4 = x⇩1"
      with ‹p⇩4 = Point x⇩4 y⇩4› [simplified ‹p⇩4 = add a p⇩1 p⇩2›]
        ‹p⇩1 = Point x⇩1 y⇩1›
        add_closed [OF ‹on_curve a b p⇩1› ‹on_curve a b p⇩2›]
        ‹on_curve a b p⇩1›
      have "add a p⇩1 p⇩2 = p⇩1 ∨ add a p⇩1 p⇩2 = opp p⇩1" by (rule curve_elt_opp)
      then show ?case
      proof
        assume "add a p⇩1 p⇩2 = p⇩1"
        with ‹on_curve a b p⇩1› ‹on_curve a b p⇩2›
        have "add a p⇩2 p⇩1 = p⇩1" by (simp add: add_comm)
        with ab ‹on_curve a b p⇩2› ‹on_curve a b p⇩1›
        have "p⇩2 = Infinity" by (rule uniq_zero)
        moreover from ‹add a p⇩1 p⇩2 = p⇩1›
          ‹p⇩4 = p⇩5› ‹p⇩4 = add a p⇩1 p⇩2› ‹p⇩5 = add a p⇩1 p⇩3›
          ‹on_curve a b p⇩1› ‹on_curve a b p⇩3›
        have "add a p⇩3 p⇩1 = p⇩1" by (simp add: add_comm)
        with ab ‹on_curve a b p⇩3› ‹on_curve a b p⇩1›
        have "p⇩3 = Infinity" by (rule uniq_zero)
        ultimately show ?case by simp
      next
        assume "add a p⇩1 p⇩2 = opp p⇩1"
        with ab ‹on_curve a b p⇩1› ‹on_curve a b p⇩2›
        have "p⇩2 = add a (opp p⇩1) (opp p⇩1)" by (rule add_opp_double_opp)
        moreover from ‹add a p⇩1 p⇩2 = opp p⇩1›
          ‹p⇩4 = p⇩5› ‹p⇩4 = add a p⇩1 p⇩2› ‹p⇩5 = add a p⇩1 p⇩3›
        have "add a p⇩1 p⇩3 = opp p⇩1" by simp
        with ab ‹on_curve a b p⇩1› ‹on_curve a b p⇩3›
        have "p⇩3 = add a (opp p⇩1) (opp p⇩1)" by (rule add_opp_double_opp)
        ultimately show ?case by simp
      qed
    qed
  qed
qed

lemma add_minus_id:
  assumes ab: "nonsingular a b"
  and p⇩1: "on_curve a b p⇩1"
  and p⇩2: "on_curve a b p⇩2"
  shows "add a (add a p⇩1 p⇩2) (opp p⇩2) = p⇩1"
proof (cases "add a p⇩1 p⇩2 = opp p⇩2")
  case True
  then have "add a (add a p⇩1 p⇩2) (opp p⇩2) = add a (opp p⇩2) (opp p⇩2)"
    by simp
  also from p⇩1 p⇩2 True have "add a p⇩2 p⇩1 = opp p⇩2"
    by (simp add: add_comm)
  with ab p⇩2 p⇩1 have "add a (opp p⇩2) (opp p⇩2) = p⇩1"
    by (rule add_opp_double_opp [symmetric])
  finally show ?thesis .
next
  case False
  from p⇩1 p⇩2 p⇩1 p⇩2 False show ?thesis
  proof (induct rule: add_case)
    case InfL
    then show ?case by (simp add: add_opp)
  next
    case InfR
    show ?case by (simp add: add_0_r)
  next
    case Opp
    then show ?case by (simp add: opp_opp add_0_l)
  next
    case (Tan p⇩1 x⇩1 y⇩1 p⇩2 x⇩2 y⇩2 l)
    note ab ‹on_curve a b p⇩1›
    moreover from ‹y⇩1 ≠ 0› ‹p⇩1 = Point x⇩1 y⇩1›
    have "p⇩1 ≠ opp p⇩1" by (simp add: opp_Point)
    moreover from ‹p⇩2 = add a p⇩1 p⇩1› ‹p⇩2 ≠ opp p⇩1›
    have "add a p⇩1 p⇩1 ≠ opp p⇩1" by simp
    ultimately have "add a (add a p⇩1 p⇩1) (opp p⇩1) = p⇩1"
      by (rule compat_add_triple)
    with ‹p⇩2 = add a p⇩1 p⇩1› show ?case by simp
  next
    case (Gen p⇩1 x⇩1 y⇩1 p⇩2 x⇩2 y⇩2 p⇩3 x⇩3 y⇩3 l)
    from ‹p⇩3 = add a p⇩1 p⇩2› ‹on_curve a b p⇩2›
    have "p⇩3 = add a p⇩1 (opp (opp p⇩2))" by (simp add: opp_opp)
    with
      add_closed [OF ‹on_curve a b p⇩1› ‹on_curve a b p⇩2›,
        folded ‹p⇩3 = add a p⇩1 p⇩2›]
      opp_closed [OF ‹on_curve a b p⇩2›]
      opp_closed [OF ‹on_curve a b p⇩2›]
      opp_opp [of p⇩2]
      Gen
    show ?case
    proof (induct rule: add_case)
      case InfL
      then show ?case by simp
    next
      case InfR
      then show ?case by (simp add: add_0_r)
    next
      case (Opp p)
      from ‹p = add a p⇩1 (opp (opp p))›
      have "add a p⇩1 p = p" by (simp add: opp_opp)
      with ab ‹on_curve a b p⇩1› ‹on_curve a b p›
      show ?case by (rule uniq_zero [symmetric])
    next
      case Tan
      then show ?case by simp
    next
      case (Gen p⇩4 x⇩4 y⇩4 p⇩5 x⇩5 y⇩5 p⇩6 x⇩6 y⇩6 l')
      from ‹on_curve a b p⇩5› ‹opp p⇩5 = p⇩2›
        ‹p⇩2 = Point x⇩2 y⇩2› ‹p⇩5 = Point x⇩5 y⇩5›
      have "y⇩5 = - y⇩2" "x⇩5 = x⇩2"
        by (auto simp add: opp_Point on_curve_def)
      from ‹p⇩4 = Point x⇩3 y⇩3› ‹p⇩4 = Point x⇩4 y⇩4›
      have "x⇩4 = x⇩3" "y⇩4 = y⇩3" by simp_all
      from ‹x⇩4 ≠ x⇩5› show ?case
        apply (simp add:
          ‹y⇩5 = - y⇩2› ‹x⇩5 = x⇩2›
          ‹x⇩4 = x⇩3› ‹y⇩4 = y⇩3›
          ‹p⇩6 = Point x⇩6 y⇩6› ‹p⇩1 = Point x⇩1 y⇩1›
          ‹x⇩6 = l' ^ 2 - x⇩4 - x⇩5› ‹y⇩6 = - y⇩4 - l' * (x⇩6 - x⇩4)›
          ‹l' = (y⇩5 - y⇩4) / (x⇩5 - x⇩4)›
          ‹x⇩3 = l ^ 2 - x⇩1 - x⇩2› ‹y⇩3 = - y⇩1 - l * (x⇩3 - x⇩1)›
          ‹l = (y⇩2 - y⇩1) / (x⇩2 - x⇩1)›)
        apply (rule conjI)
        apply field
        apply (rule conjI)
        apply (rule notI)
        apply (erule notE)
        apply (ring (prems))
        apply (rule sym)
        apply field
        apply (simp_all add: ‹x⇩1 ≠ x⇩2› [symmetric])
        apply field
        apply (rule conjI)
        apply (rule notI)
        apply (erule notE)
        apply (ring (prems))
        apply (rule sym)
        apply field
        apply (simp_all add: ‹x⇩1 ≠ x⇩2› [symmetric])
        done
    qed
  qed
qed

lemma add_shift_minus:
  assumes ab: "nonsingular a b"
  and p⇩1: "on_curve a b p⇩1"
  and p⇩2: "on_curve a b p⇩2"
  and p⇩3: "on_curve a b p⇩3"
  and eq: "add a p⇩1 p⇩2 = p⇩3"
  shows "p⇩1 = add a p⇩3 (opp p⇩2)"
proof -
  note eq
  also from add_minus_id [OF ab p⇩3 opp_closed [OF p⇩2]] p⇩2
  have "p⇩3 = add a (add a p⇩3 (opp p⇩2)) p⇩2" by (simp add: opp_opp)
  finally have "add a p⇩2 p⇩1 = add a p⇩2 (add a p⇩3 (opp p⇩2))"
    using p⇩1 p⇩2 p⇩3
    by (simp add: add_comm [of a b] add_closed opp_closed)
  with ab p⇩2 p⇩1 add_closed [OF p⇩3 opp_closed [OF p⇩2]]
  show ?thesis by (rule cancel)
qed

lemma degen_assoc:
  assumes ab: "nonsingular a b"
  and p⇩1: "on_curve a b p⇩1"
  and p⇩2: "on_curve a b p⇩2"
  and p⇩3: "on_curve a b p⇩3"
  and H:
    "(p⇩1 = Infinity ∨ p⇩2 = Infinity ∨ p⇩3 = Infinity) ∨
     (p⇩1 = opp p⇩2 ∨ p⇩2 = opp p⇩3) ∨
     (opp p⇩1 = add a p⇩2 p⇩3 ∨ opp p⇩3 = add a p⇩1 p⇩2)"
  shows "add a p⇩1 (add a p⇩2 p⇩3) = add a (add a p⇩1 p⇩2) p⇩3"
  using H
proof (elim disjE)
  assume "p⇩1 = Infinity"
  then show ?thesis by (simp add: add_0_l)
next
  assume "p⇩2 = Infinity"
  then show ?thesis by (simp add: add_0_l add_0_r)
next
  assume "p⇩3 = Infinity"
  then show ?thesis by (simp add: add_0_r)
next
  assume "p⇩1 = opp p⇩2"
  from p⇩2 p⇩3
  have "add a (opp p⇩2) (add a p⇩2 p⇩3) = add a (add a p⇩3 p⇩2) (opp p⇩2)"
    by (simp add: add_comm [of a b] add_closed opp_closed)
  also from ab p⇩3 p⇩2 have "… = p⇩3" by (rule add_minus_id)
  also have "… = add a Infinity p⇩3" by (simp add: add_0_l)
  also from p⇩2 have "… = add a (add a p⇩2 (opp p⇩2)) p⇩3"
    by (simp add: add_opp)
  also from p⇩2 have "… = add a (add a (opp p⇩2) p⇩2) p⇩3"
    by (simp add: add_comm [of a b] opp_closed)
  finally show ?thesis using ‹p⇩1 = opp p⇩2› by simp
next
  assume "p⇩2 = opp p⇩3"
  from p⇩3
  have "add a p⇩1 (add a (opp p⇩3) p⇩3) = add a p⇩1 (add a p⇩3 (opp p⇩3))"
    by (simp add: add_comm [of a b] opp_closed)
  also from ab p⇩1 p⇩3
  have "… = add a (add a p⇩1 (opp p⇩3)) (opp (opp p⇩3))"
    by (simp add: add_opp add_minus_id add_0_r opp_closed)
  finally show ?thesis using p⇩3 ‹p⇩2 = opp p⇩3›
    by (simp add: opp_opp)
next
  assume eq: "opp p⇩1 = add a p⇩2 p⇩3"
  from eq [symmetric] p⇩1
  have "add a p⇩1 (add a p⇩2 p⇩3) = Infinity" by (simp add: add_opp)
  also from p⇩3 have "… = add a p⇩3 (opp p⇩3)" by (simp add: add_opp)
  also from p⇩3 have "… = add a (opp p⇩3) p⇩3"
    by (simp add: add_comm [of a b] opp_closed)
  also from ab p⇩2 p⇩3
  have "… = add a (add a (add a (opp p⇩3) (opp p⇩2)) (opp (opp p⇩2))) p⇩3"
    by (simp add: add_minus_id opp_closed)
  also from p⇩2 p⇩3
  have "… = add a (add a (add a (opp p⇩2) (opp p⇩3)) p⇩2) p⇩3"
    by (simp add: add_comm [of a b] opp_opp opp_closed)
  finally show ?thesis
    using opp_add [OF p⇩2 p⇩3] eq [symmetric] p⇩1
    by (simp add: opp_opp)
next
  assume eq: "opp p⇩3 = add a p⇩1 p⇩2"
  from opp_add [OF p⇩1 p⇩2] eq [symmetric] p⇩3
  have "add a p⇩1 (add a p⇩2 p⇩3) = add a p⇩1 (add a p⇩2 (add a (opp p⇩1) (opp p⇩2)))"
    by (simp add: opp_opp)
  also from p⇩1 p⇩2
  have "… = add a p⇩1 (add a (add a (opp p⇩1) (opp p⇩2)) (opp (opp p⇩2)))"
    by (simp add: add_comm [of a b] opp_opp add_closed opp_closed)
  also from ab p⇩1 p⇩2 have "… = Infinity"
    by (simp add: add_minus_id add_opp opp_closed)
  also from p⇩3 have "… = add a p⇩3 (opp p⇩3)" by (simp add: add_opp)
  also from p⇩3 have "… = add a (opp p⇩3) p⇩3"
    by (simp add: add_comm [of a b] opp_closed)
  finally show ?thesis using eq [symmetric] by simp
qed

lemma spec4_assoc:
  assumes ab: "nonsingular a b"
  and p⇩1: "on_curve a b p⇩1"
  and p⇩2: "on_curve a b p⇩2"
  shows "add a p⇩1 (add a p⇩2 p⇩2) = add a (add a p⇩1 p⇩2) p⇩2"
proof (cases "p⇩1 = Infinity")
  case True
  from ab p⇩1 p⇩2 p⇩2
  show ?thesis by (rule degen_assoc) (simp add: True)
next
  case False
  show ?thesis
  proof (cases "p⇩2 = Infinity")
    case True
    from ab p⇩1 p⇩2 p⇩2
    show ?thesis by (rule degen_assoc) (simp add: True)
  next
    case False
    show ?thesis
    proof (cases "p⇩2 = opp p⇩2")
      case True
      from ab p⇩1 p⇩2 p⇩2
      show ?thesis by (rule degen_assoc) (simp add: True [symmetric])
    next
      case False
      show ?thesis
      proof (cases "p⇩1 = opp p⇩2")
        case True
        from ab p⇩1 p⇩2 p⇩2
        show ?thesis by (rule degen_assoc) (simp add: True)
      next
        case False
        show ?thesis
        proof (cases "opp p⇩1 = add a p⇩2 p⇩2")
          case True
          from ab p⇩1 p⇩2 p⇩2
          show ?thesis by (rule degen_assoc) (simp add: True)
        next
          case False
          show ?thesis
          proof (cases "opp p⇩2 = add a p⇩1 p⇩2")
            case True
            from ab p⇩1 p⇩2 p⇩2
            show ?thesis by (rule degen_assoc) (simp add: True)
          next
            case False
            show ?thesis
            proof (cases "p⇩1 = add a p⇩2 p⇩2")
              case True
              from p⇩1 p⇩2 ‹p⇩1 ≠ opp p⇩2› ‹p⇩2 ≠ opp p⇩2›
                ‹opp p⇩1 ≠ add a p⇩2 p⇩2› ‹opp p⇩2 ≠ add a p⇩1 p⇩2›
                ‹p⇩1 ≠ Infinity› ‹p⇩2 ≠ Infinity›
              show ?thesis
                apply (simp add: True)
                apply (rule spec3_assoc)
                apply (simp_all add: is_generic_def is_tangent_def)
                apply (rule notI)
                apply (drule uniq_zero [OF ab p⇩2 p⇩2])
                apply simp
                apply (intro conjI notI)
                apply (erule notE)
                apply (rule uniq_opp [of a])
                apply (simp add: add_comm [of a b] add_closed)
                apply (erule notE)
                apply (drule uniq_zero [OF ab add_closed [OF p⇩2 p⇩2] p⇩2])
                apply simp
                done
            next
              case False
              show ?thesis
              proof (cases "p⇩2 = add a p⇩1 p⇩2")
                case True
                from ab p⇩1 p⇩2 True [symmetric]
                have "p⇩1 = Infinity" by (rule uniq_zero)
                then show ?thesis by (simp add: add_0_l)
              next
                case False
                show ?thesis
                proof (cases "p⇩1 = p⇩2")
                  case True
                  with p⇩2 show ?thesis
                    by (simp add: add_comm [of a b] add_closed)
                next
                  case False
                  with p⇩1 p⇩2 ‹p⇩1 ≠ Infinity› ‹p⇩2 ≠ Infinity›
                    ‹p⇩1 ≠ opp p⇩2› ‹p⇩2 ≠ opp p⇩2›
                    ‹p⇩1 ≠ add a p⇩2 p⇩2› ‹p⇩2 ≠ add a p⇩1 p⇩2› ‹opp p⇩2 ≠ add a p⇩1 p⇩2›
                  show ?thesis
                    apply (rule_tac spec2_assoc)
                    apply (simp_all add: is_generic_def is_tangent_def)
                    apply (rule notI)
                    apply (erule notE [of "p⇩1 = opp p⇩2"])
                    apply (rule uniq_opp [of a])
                    apply (simp add: add_comm)
                    apply (intro conjI notI)
                    apply (erule notE [of "p⇩2 = opp p⇩2"])
                    apply (rule uniq_opp)
                    apply assumption+
                    apply (rule notE [OF ‹opp p⇩1 ≠ add a p⇩2 p⇩2›])
                    apply (simp add: opp_opp)
                    done
                qed
              qed
            qed
          qed
        qed
      qed
    qed
  qed
qed

lemma add_assoc:
  assumes ab: "nonsingular a b"
  and p⇩1: "on_curve a b p⇩1"
  and p⇩2: "on_curve a b p⇩2"
  and p⇩3: "on_curve a b p⇩3"
  shows "add a p⇩1 (add a p⇩2 p⇩3) = add a (add a p⇩1 p⇩2) p⇩3"
proof (cases "p⇩1 = Infinity")
  case True
  from ab p⇩1 p⇩2 p⇩3
  show ?thesis by (rule degen_assoc) (simp add: True)
next
  case False
  show ?thesis
  proof (cases "p⇩2 = Infinity")
    case True
    from ab p⇩1 p⇩2 p⇩3
    show ?thesis by (rule degen_assoc) (simp add: True)
  next
    case False
    show ?thesis
    proof (cases "p⇩3 = Infinity")
      case True
      from ab p⇩1 p⇩2 p⇩3
      show ?thesis by (rule degen_assoc) (simp add: True)
    next
      case False
      show ?thesis
      proof (cases "p⇩1 = p⇩2")
        case True
        from p⇩2 p⇩3
        have "add a p⇩2 (add a p⇩2 p⇩3) = add a (add a p⇩3 p⇩2) p⇩2"
          by (simp add: add_comm [of a b] add_closed)
        also from ab p⇩3 p⇩2 have "… = add a p⇩3 (add a p⇩2 p⇩2)"
          by (simp add: spec4_assoc)
        also from p⇩2 p⇩3
        have "… = add a (add a p⇩2 p⇩2) p⇩3"
          by (simp add: add_comm [of a b] add_closed)
        finally show ?thesis using True by simp
      next
        case False
        show ?thesis
        proof (cases "p⇩1 = opp p⇩2")
          case True
          from ab p⇩1 p⇩2 p⇩3
          show ?thesis by (rule degen_assoc) (simp add: True)
        next
          case False
          show ?thesis
          proof (cases "p⇩2 = p⇩3")
            case True
            with ab p⇩1 p⇩3 show ?thesis
              by (simp add: spec4_assoc)
          next
            case False
            show ?thesis
            proof (cases "p⇩2 = opp p⇩3")
              case True
              from ab p⇩1 p⇩2 p⇩3
              show ?thesis by (rule degen_assoc) (simp add: True)
            next
              case False
              show ?thesis
              proof (cases "opp p⇩1 = add a p⇩2 p⇩3")
                case True
                from ab p⇩1 p⇩2 p⇩3
                show ?thesis by (rule degen_assoc) (simp add: True)
              next
                case False
                show ?thesis
                proof (cases "opp p⇩3 = add a p⇩1 p⇩2")
                  case True
                  from ab p⇩1 p⇩2 p⇩3
                  show ?thesis by (rule degen_assoc) (simp add: True)
                next
                  case False
                  show ?thesis
                  proof (cases "p⇩1 = add a p⇩2 p⇩3")
                    case True
                    with ab p⇩2 p⇩3 show ?thesis
                      apply simp
                      apply (rule cancel [OF ab opp_closed [OF p⇩3]])
                      apply (simp_all add: add_closed)
                      apply (simp add: spec4_assoc add_closed opp_closed)
                      apply (simp add: add_comm [of a b "opp p⇩3"]
                        add_closed opp_closed add_minus_id)
                      apply (simp add: add_comm [of a b] add_closed)
                      done
                  next
                    case False
                    show ?thesis
                    proof (cases "p⇩3 = add a p⇩1 p⇩2")
                      case True
                      with ab p⇩1 p⇩2 show ?thesis
                        apply simp
                        apply (rule cancel [OF ab opp_closed [OF p⇩1]])
                        apply (simp_all add: add_closed)
                        apply (simp add: spec4_assoc add_closed opp_closed)
                        apply (simp add: add_comm [of a b "opp p⇩1"] add_comm [of a b p⇩1]
                          add_closed opp_closed add_minus_id)
                        done
                    next
                      case False
                      with p⇩1 p⇩2 p⇩3
                        ‹p⇩1 ≠ Infinity› ‹p⇩2 ≠ Infinity› ‹p⇩3 ≠ Infinity›
                        ‹p⇩1 ≠ p⇩2› ‹p⇩1 ≠ opp p⇩2› ‹p⇩2 ≠ p⇩3› ‹p⇩2 ≠ opp p⇩3›
                        ‹opp p⇩3 ≠ add a p⇩1 p⇩2› ‹p⇩1 ≠ add a p⇩2 p⇩3›
                      show ?thesis
                        apply (rule_tac spec1_assoc [of a b])
                        apply (simp_all add: is_generic_def)
                        apply (rule notI)
                        apply (erule notE [of "p⇩1 = opp p⇩2"])
                        apply (rule uniq_opp [of a])
                        apply (simp add: add_comm)
                        apply (intro conjI notI)
                        apply (erule notE [of "p⇩2 = opp p⇩3"])
                        apply (rule uniq_opp [of a])
                        apply (simp add: add_comm)
                        apply (rule notE [OF ‹opp p⇩1 ≠ add a p⇩2 p⇩3›])
                        apply (simp add: opp_opp)
                        done
                    qed
                  qed
                qed
              qed
            qed
          qed
        qed
      qed
    qed
  qed
qed
  
lemma add_comm':
  "nonsingular a b ⟹
   on_curve a b p⇩1 ⟹ on_curve a b p⇩2 ⟹ on_curve a b p⇩3 ⟹
   add a p⇩2 (add a p⇩1 p⇩3) = add a p⇩1 (add a p⇩2 p⇩3)"
   by (simp add: add_assoc add_comm)

primrec (in ell_field) point_mult :: "'a ⇒ nat ⇒ 'a point ⇒ 'a point"
where
    "point_mult a 0 p = Infinity"
  | "point_mult a (Suc n) p = add a p (point_mult a n p)"

lemma point_mult_closed: "on_curve a b p ⟹ on_curve a b (point_mult a n p)"
  by (induct n) (simp_all add: add_closed)

lemma point_mult_add:
  "on_curve a b p ⟹ nonsingular a b ⟹
   point_mult a (m + n) p = add a (point_mult a m p) (point_mult a n p)"
  by (induct m) (simp_all add: add_assoc point_mult_closed add_0_l)

lemma point_mult_mult:
  "on_curve a b p ⟹ nonsingular a b ⟹
   point_mult a (m * n) p = point_mult a n (point_mult a m p)"
   by (induct n) (simp_all add: point_mult_add)

lemma point_mult2_eq_double:
  "point_mult a 2 p = add a p p"
  by (simp add: numeral_2_eq_2 add_0_r)

subsection ‹Projective Coordinates›

type_synonym 'a ppoint = "'a × 'a × 'a"

context ell_field begin

definition pdouble :: "'a ⇒ 'a ppoint ⇒ 'a ppoint" where
  "pdouble a p =
     (let (x, y, z) = p
      in
        if z = 0 then p
        else
          let
            l = 2 * y * z;
            m = 3 * x ^ 2 + a * z ^ 2
          in
            (l * (m ^ 2 - 4 * x * y * l),
             m * (6 * x * y * l - m ^ 2) -
             2 * y ^ 2 * l ^ 2,
             l ^ 3))"

definition padd :: "'a ⇒ 'a ppoint ⇒ 'a ppoint ⇒ 'a ppoint" where
  "padd a p⇩1 p⇩2 =
     (let
        (x⇩1, y⇩1, z⇩1) = p⇩1;
        (x⇩2, y⇩2, z⇩2) = p⇩2
      in
        if z⇩1 = 0 then p⇩2
        else if z⇩2 = 0 then p⇩1
        else
          let
            d⇩1 = x⇩2 * z⇩1;
            d⇩2 = x⇩1 * z⇩2;
            l = d⇩1 - d⇩2;
            m = y⇩2 * z⇩1 - y⇩1 * z⇩2
          in
            if l = 0 then
              if m = 0 then pdouble a p⇩1
              else (0, 0, 0)
            else
              let h = m ^ 2 * z⇩1 * z⇩2 - (d⇩1 + d⇩2) * l ^ 2
              in
                (l * h,
                 (d⇩2 * l ^ 2 - h) * m - l ^ 3 * y⇩1 * z⇩2,
                 l ^ 3 * z⇩1 * z⇩2))"

definition make_affine :: "'a ppoint ⇒ 'a point" where
  "make_affine p =
     (let (x, y, z) = p
      in if z = 0 then Infinity else Point (x / z) (y / z))"

definition on_curvep :: "'a ⇒ 'a ⇒ 'a ppoint ⇒ bool" where
  "on_curvep a b = (λ(x, y, z). z ≠ 0 ⟶
     y ^ 2 * z = x ^ 3 + a * x * z ^ 2 + b * z ^ 3)"

end

lemma on_curvep_infinity [simp]: "on_curvep a b (x, y, 0)"
  by (simp add: on_curvep_def)

lemma make_affine_infinity [simp]: "make_affine (x, y, 0) = Infinity"
  by (simp add: make_affine_def)

lemma on_curvep_iff_on_curve:
  "on_curvep a b p = on_curve a b (make_affine p)"
proof (induct p rule: prod_induct3)
  case (fields x y z)
  show "on_curvep a b (x, y, z) = on_curve a b (make_affine (x, y, z))"
  proof
    assume H: "on_curvep a b (x, y, z)"
    then have yz: "z ≠ 0 ⟹ y ^ 2 * z = x ^ 3 + a * x * z ^ 2 + b * z ^ 3"
      by (simp_all add: on_curvep_def)
    show "on_curve a b (make_affine (x, y, z))"
    proof (cases "z = 0")
      case True
      then show ?thesis by (simp add: on_curve_def make_affine_def)
    next
      case False
      then show ?thesis
        apply (simp add: on_curve_def make_affine_def)
        apply (field yz [OF False])
        apply assumption
        done
    qed
  next
    assume H: "on_curve a b (make_affine (x, y, z))"
    show "on_curvep a b (x, y, z)"
    proof (cases "z = 0")
      case True
      then show ?thesis
        by (simp add: on_curvep_def)
    next
      case False
      from H show ?thesis
        apply (simp add: on_curve_def on_curvep_def make_affine_def False)
        apply (field (prems))
        apply field
        apply (simp_all add: False)
        done
    qed
  qed
qed

lemma pdouble_infinity [simp]: "pdouble a (x, y, 0) = (x, y, 0)"
  by (simp add: pdouble_def)

lemma padd_infinity_l [simp]: "padd a (x, y, 0) p = p"
  by (simp add: padd_def)

lemma pdouble_correct:
  "make_affine (pdouble a p) = add a (make_affine p) (make_affine p)"
proof (induct p rule: prod_induct3)
  case (fields x y z)
  then show ?case
    apply (auto simp add: add_def pdouble_def make_affine_def eq_opp_is_zero Let_def)
    apply field
    apply simp
    apply field
    apply simp
    done
qed

lemma padd_correct:
  assumes p⇩1: "on_curvep a b p⇩1" and p⇩2: "on_curvep a b p⇩2"
  shows "make_affine (padd a p⇩1 p⇩2) = add a (make_affine p⇩1) (make_affine p⇩2)"
  using p⇩1
proof (induct p⇩1 rule: prod_induct3)
  case (fields x⇩1 y⇩1 z⇩1)
  note p⇩1' = fields
  from p⇩2 show ?case
  proof (induct p⇩2 rule: prod_induct3)
    case (fields x⇩2 y⇩2 z⇩2)
    then have
      yz⇩2: "z⇩2 ≠ 0 ⟹ y⇩2 ^ 2 * z⇩2 * z⇩1 ^ 3 =
        (x⇩2 ^ 3 + a * x⇩2 * z⇩2 ^ 2 + b * z⇩2 ^ 3) * z⇩1 ^ 3"
      by (simp_all add: on_curvep_def)
    from p⇩1' have
      yz⇩1: "z⇩1 ≠ 0 ⟹ y⇩1 ^ 2 * z⇩1 * z⇩2 ^ 3 =
        (x⇩1 ^ 3 + a * x⇩1 * z⇩1 ^ 2 + b * z⇩1 ^ 3) * z⇩2 ^ 3"
      by (simp_all add: on_curvep_def)
    show ?case
    proof (cases "z⇩1 = 0")
      case True
      then show ?thesis
        by (simp add: add_def padd_def make_affine_def)
    next
      case False
      show ?thesis
      proof (cases "z⇩2 = 0")
        case True
        then show ?thesis
          by (simp add: add_def padd_def make_affine_def)
      next
        case False
        show ?thesis
        proof (cases "x⇩2 * z⇩1 - x⇩1 * z⇩2 = 0")
          case True
          note x = this
          then have x': "x⇩2 * z⇩1 = x⇩1 * z⇩2" by simp
          show ?thesis
          proof (cases "y⇩2 * z⇩1 - y⇩1 * z⇩2 = 0")
            case True
            then have y: "y⇩2 * z⇩1 = y⇩1 * z⇩2" by simp
            from ‹z⇩1 ≠ 0› ‹z⇩2 ≠ 0› x
            have "make_affine (x⇩2, y⇩2, z⇩2) = make_affine (x⇩1, y⇩1, z⇩1)"
              apply (simp add: make_affine_def)
              apply (rule conjI)
              apply (field x')
              apply simp
              apply (field y)
              apply simp
              done
            with True x ‹z⇩1 ≠ 0› ‹z⇩2 ≠ 0› p⇩1' fields show ?thesis
              by (simp add: padd_def pdouble_correct)
          next
            case False
            have "y⇩2 ^ 2 * z⇩1 ^ 3 * z⇩2 = y⇩1 ^ 2 * z⇩1 * z⇩2 ^ 3"
              by (ring yz⇩1 [OF ‹z⇩1 ≠ 0›] yz⇩2 [OF ‹z⇩2 ≠ 0›] x')
            then have "y⇩2 ^ 2 * z⇩1 ^ 3 * z⇩2 / z⇩1 / z⇩2 =
              y⇩1 ^ 2 * z⇩1 * z⇩2 ^ 3 / z⇩1 / z⇩2"
              by simp
            then have "(y⇩2 * z⇩1) * (y⇩2 * z⇩1) = (y⇩1 * z⇩2) * (y⇩1 * z⇩2)"
              apply (field (prems))
              apply (field)
              apply (rule TrueI)
              apply (simp add: ‹z⇩1 ≠ 0› ‹z⇩2 ≠ 0›)
              done
            with False
            have y⇩2z⇩1: "y⇩2 * z⇩1 = - (y⇩1 * z⇩2)"
              by (simp add: square_eq_iff)
            from x False ‹z⇩1 ≠ 0› ‹z⇩2 ≠ 0› show ?thesis
              apply (simp add: padd_def add_def make_affine_def Let_def)
              apply (rule conjI)
              apply (rule impI)
              apply (field x')
              apply simp
              apply (field y⇩2z⇩1)
              apply simp
              done
          qed
        next
          case False
          then have "x⇩1 / z⇩1 ≠ x⇩2 / z⇩2"
            apply (rule_tac notI)
            apply (erule notE)
            apply (drule sym)
            apply (field (prems))
            apply ring
            apply (simp add: ‹z⇩1 ≠ 0› ‹z⇩2 ≠ 0›)
            done
          with False ‹z⇩1 ≠ 0› ‹z⇩2 ≠ 0›
          show ?thesis
            apply (auto simp add: padd_def add_def make_affine_def Let_def)
            apply field
            apply simp
            apply field
            apply simp
            done
        qed
      qed
    qed
  qed
qed

lemma pdouble_closed:
  "on_curvep a b p ⟹ on_curvep a b (pdouble a p)"
  by (simp add: on_curvep_iff_on_curve pdouble_correct add_closed)

lemma padd_closed:
  "on_curvep a b p⇩1 ⟹ on_curvep a b p⇩2 ⟹ on_curvep a b (padd a p⇩1 p⇩2)"
  by (simp add: on_curvep_iff_on_curve padd_correct add_closed)

primrec (in ell_field) ppoint_mult :: "'a ⇒ nat ⇒ 'a ppoint ⇒ 'a ppoint"
where
    "ppoint_mult a 0 p = (0, 0, 0)"
  | "ppoint_mult a (Suc n) p = padd a p (ppoint_mult a n p)"

lemma ppoint_mult_closed [simp]:
  "on_curvep a b p ⟹ on_curvep a b (ppoint_mult a n p)"
  by (induct n) (simp_all add: padd_closed)

lemma ppoint_mult_correct: "on_curvep a b p ⟹
  make_affine (ppoint_mult a n p) = point_mult a n (make_affine p)"
  by (induct n) (simp_all add: padd_correct)

context ell_field begin

definition proj_eq :: "'a ppoint ⇒ 'a ppoint ⇒ bool" where
  "proj_eq = (λ(x⇩1, y⇩1, z⇩1) (x⇩2, y⇩2, z⇩2).
     (z⇩1 = 0) = (z⇩2 = 0) ∧ x⇩1 * z⇩2 = x⇩2 * z⇩1 ∧ y⇩1 * z⇩2 = y⇩2 * z⇩1)"

end

lemma proj_eq_refl: "proj_eq p p"
  by (auto simp add: proj_eq_def)

lemma proj_eq_sym: "proj_eq p p' ⟹ proj_eq p' p"
  by (auto simp add: proj_eq_def)

lemma proj_eq_trans:
  "in_carrierp p ⟹ in_carrierp p' ⟹ in_carrierp p'' ⟹
   proj_eq p p' ⟹ proj_eq p' p'' ⟹ proj_eq p p''"
proof (induct p rule: prod_induct3)
  case (fields x y z)
  then show ?case
  proof (induct p' rule: prod_induct3)
    case (fields x' y' z')
    then show ?case
    proof (induct p'' rule: prod_induct3)
      case (fields x'' y'' z'')
      then have
        z: "(z = 0) = (z' = 0)" "(z' = 0) = (z'' = 0)" and
        "x * z' * z'' = x' * z * z''"
        "y * z' * z'' = y' * z * z''"
        and xy:
        "x' * z'' = x'' * z'"
        "y' * z'' = y'' * z'"
        by (simp_all add: proj_eq_def)
      from ‹x * z' * z'' = x' * z * z''›
      have "(x * z'') * z' = (x'' * z) * z'"
        by (ring (prems) xy) (ring xy)
      moreover from ‹y * z' * z'' = y' * z * z''›
      have "(y * z'') * z' = (y'' * z) * z'"
        by (ring (prems) xy) (ring xy)
      ultimately show ?case using z
        by (auto simp add: proj_eq_def)
    qed
  qed
qed

lemma make_affine_proj_eq_iff:
  "proj_eq p p' = (make_affine p = make_affine p')"
proof (induct p rule: prod_induct3)
  case (fields x y z)
  then show ?case
  proof (induct p' rule: prod_induct3)
    case (fields x' y' z')
    show ?case
    proof
      assume "proj_eq (x, y, z) (x', y', z')"
      then have "(z = 0) = (z' = 0)"
        and xy: "x * z' = x' * z" "y * z' = y' * z"
        by (simp_all add: proj_eq_def)
      then show "make_affine (x, y, z) = make_affine (x', y', z')"
        apply (auto simp add: make_affine_def)
        apply (field xy)
        apply simp
        apply (field xy)
        apply simp
        done
    next
      assume H: "make_affine (x, y, z) = make_affine (x', y', z')"
      show "proj_eq (x, y, z) (x', y', z')"
      proof (cases "z = 0")
        case True
        with H have "z' = 0" by (simp add: make_affine_def split: if_split_asm)
        with True show ?thesis by (simp add: proj_eq_def)
      next
        case False
        with H have "z' ≠ 0" "x / z = x' / z'" "y / z = y' / z'"
          by (simp_all add: make_affine_def split: if_split_asm)
        from ‹x / z = x' / z'›
        have "x * z' = x' * z"
          apply (field (prems))
          apply field
          apply (simp_all add: ‹z ≠ 0› ‹z' ≠ 0›)
          done
        moreover from ‹y / z = y' / z'›
        have "y * z' = y' * z"
          apply (field (prems))
          apply field
          apply (simp_all add: ‹z ≠ 0› ‹z' ≠ 0›)
          done
        ultimately show ?thesis
          by (simp add: proj_eq_def ‹z ≠ 0› ‹z' ≠ 0›)
      qed
    qed
  qed
qed

lemma pdouble_proj_eq_cong:
  "proj_eq p p' ⟹ proj_eq (pdouble a p) (pdouble a p')"
  by (simp add: make_affine_proj_eq_iff pdouble_correct)

lemma padd_proj_eq_cong:
  "on_curvep a b p⇩1 ⟹ on_curvep a b p⇩1' ⟹ on_curvep a b p⇩2 ⟹ on_curvep a b p⇩2' ⟹
   proj_eq p⇩1 p⇩1' ⟹ proj_eq p⇩2 p⇩2' ⟹ proj_eq (padd a p⇩1 p⇩2) (padd a p⇩1' p⇩2')"
  by (simp add: make_affine_proj_eq_iff padd_correct)

end